Surge in 'Viknok' infections bolsters click fraud campaign

Researchers detected over 16,500 Viknok infections in the first week of May alone.

A trojan called “Viknok,” which targets Windows users' online banking credentials, is currently being used to further click fraud scams, researchers found.

First detected in April 2013, Viknok has now been linked to over 16,500 infections that occurred in the first week of May alone. On Thursday, Andrea Lelli, a researcher at Symantec, revealed in a blog post that scammers had increasingly leveraged the trojan over the past six months, though an actual “spike” in infections was detected last month, when 22,000 infections occurred.

Lelli added that the majority of victims struck in early May were in the U.S.

According to Lelli, the trojan targets DLL [dynamic link library] files with a malicious payload and has "evolved into a sophisticated threat capable of obtaining elevated operating system privileges" in order to infect files on multiple Windows platforms, including the 32- and 64-bit versions of Windows XP, Vista and 7.

Once the trojan infects users, attackers use the malware to bolster click fraud campaigns where users are unknowingly redirected to ads. Symantec noted that some victims heard “random audio playback through their compromised computers,” due to various ads that played in the background.

Of note, Viknok uses a number of tricks to silently infect core system files, Lelli wrote, but the “most powerful” technique entails exploitation of a Windows privilege escalation vulnerability (CVE-2013-3600). This exploit allows Viknok to run code in kernel mode, she explained.

“The threat's purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts,” Lelli wrote. “The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.”

On Thursday, Satnam Narang, a security response manager at Symantec, told SCMagazine.com in an interview that researchers are still investigating how saboteurs delivered Viknok to users' computers.

In his expert opinion, however, scammers often deliver such threats via exploit kits, which take advantage of users running vulnerable software.

“I think it's probably an exploit kit delivering [Viknok] through a downloader,” Narang said. “Typically we see that, but we are still investigating.”

As Viknok targets multiple Windows platforms, Satnam advised users to keep their systems updated with the latest patches to avoid infection. He also recommended that users implement security software that can protect and repair targeted files.
